Porn site xHamster served malware via rogue advertisement

The popular porn site xHamster has for a while shown a rogue advertisement that infects vulnerable visitors with malware. Once whose computer was affected, it generated traffic to advertisements to generate revenue for the malware creators.

XHamster is a popular porn site, according to Alexa, with a rank of 68 in the list of the most popular websites on the internet. According to Malwarebytes, which discovered the vulnerability, the website was the victim of a rogue advertisement. It was shown via advertising provider TrafficHaus.

In a blog post, Malwarebytes explains how ingenious the malware creators went to work. For example, in their script they used Google’s shortener service to refer visitors to another website via the advertisement. On that site, the creators checked whether potential victims were running Norton or Kaspersky security software. Once that was not the case, the attack continued.

The malware then checked whether the xHamster visitor had a vulnerable version of Internet Explorer. Specifically, the program looked for the presence of CVE-2014-4130, a memory vulnerability. If this could be answered in the affirmative, the script injected the computer with Bedep. This malware generates undetected traffic for advertising campaigns.

Malwarebytes says it has now informed TrafficHaus about the malware. The ad provider would now have removed the malicious advertising. The security company emphasizes that anyone who does not want to take a risk must have the latest software versions installed.

Porn sites serve malware with some regularity. Infections usually occur through custom banners on ad networks. The consequences can be immense: such sites attract millions of visitors. In February, RedTube was the victim of a similar attack. Then malicious people even managed to modify the source code of the main page through a hidden iframe.